Logwatch & Logcheck

For a while now I have been trying to find out what is going on on my servers... so I read the syslog and a few other logs... that takes (a bit of) time... (actually a lot...).

Since service logs are voluminous, a tool like one of these is needed to give you the picture at a glance and make analysis easier when something goes wrong.

Logwatch

The principle of Logwatch is simple: every day it reads your server's logs, extracts the day's information, sorts it and mails you the summary.

It installs simply:

apt-get install logwatch

and by default the result is already satisfactory...

amavisd and clamav performance, dovecot event statistics and errors too, postfix, the upgrades and installs done in the last 24h... fail2ban, apache errors (403, 404, 405, ...), sshd, and disk space too...

In short it does the job for getting an idea of what is going on... and as always it is configured via /etc/logwatch/conf/logwatch.conf

You just have to remember to set "MailTo" correctly and to check that the "mailer" parameter is right (otherwise it works less well).

You will also find a few interesting options in there...

The folder /etc/logwatch/conf/services/ holds the config files for each of the monitored services.

Not much more to say, other than to explore the files under /etc/logwatch, and that it is a simple cron job that takes care of running it...

Which services Logwatch watches is managed via the Service= parameter.

Minimal configuration file:

LogDir = /var/log
MailTo = email@domain.lol
Format = text
Service = All
mailer = "/usr/sbin/sendmail -t"
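Added here as an example (not code from the post, nor from Logwatch itself): a small POSIX sh check for a logwatch.conf of the shape above. It parses the "Key = value" lines (comments and blank lines skipped, surrounding quotes stripped) and verifies the two settings the post singles out: MailTo is set, and the program named in mailer actually exists on the box. The two config files inside it are constructed for the demo, "/bin/sh -c cat" stands in for "/usr/sbin/sendmail -t" so the check passes on any machine, and matching keys case-insensitively is an assumption about how Logwatch reads its config.

```shell
#!/bin/sh
# Added example, not code from the post or from Logwatch: sanity-check a
# logwatch.conf before trusting the daily mail.
# Assumption: keys are compared case-insensitively. Config files below are
# constructed for the demo; /bin/sh stands in for /usr/sbin/sendmail.

# conf_get FILE KEY -> prints the value of KEY (last occurrence wins) or nothing.
conf_get() {
    awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }     # comments and blank lines
        index($0, "=") == 0 { next }          # not a Key = value line
        {
            eq  = index($0, "=")
            key = tolower(substr($0, 1, eq - 1))
            val = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", key)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            gsub(/^"/, "", val); gsub(/"$/, "", val)
            if (key == want) found = val      # last occurrence wins
        }
        END { if (found != "") print found }' "$1"
}

# check_conf FILE -> exit 0 when MailTo and mailer look usable, 1 otherwise,
# printing one line per problem found.
check_conf() {
    rc=0
    mailto=$(conf_get "$1" MailTo)
    if [ -z "$mailto" ]; then
        echo "MailTo is empty: the daily report has nowhere to go"
        rc=1
    fi
    mailer=$(conf_get "$1" mailer)
    prog=${mailer%% *}   # the program is the first word of e.g. "/usr/sbin/sendmail -t"
    if [ -z "$prog" ]; then
        echo "mailer is empty"
        rc=1
    elif ! command -v "$prog" >/dev/null 2>&1; then
        echo "mailer program not found: $prog"
        rc=1
    fi
    return $rc
}

GOOD_CONF=$(mktemp); BAD_CONF=$(mktemp)
trap 'rm -f "$GOOD_CONF" "$BAD_CONF"' EXIT
cat > "$GOOD_CONF" <<'EOF'
# constructed minimal logwatch.conf; /bin/sh stands in for /usr/sbin/sendmail
LogDir = /var/log
MailTo = admin@example.org
Format = text
Service = All
mailer = "/bin/sh -c cat"
EOF
cat > "$BAD_CONF" <<'EOF'
# constructed: MailTo left empty, mailer pointing at a program that does not exist
LogDir = /var/log
MailTo =
Service = All
mailer = "/nonexistent/sendmail -t"
EOF

check_conf "$GOOD_CONF" && echo "good config: OK"
check_conf "$BAD_CONF" || echo "bad config: problems found"
```

Run it against your real /etc/logwatch/conf/logwatch.conf with check_conf before waiting a day for a mail that never arrives; an empty MailTo or a mailer path that is wrong on this particular box are exactly the two silent failures the post warns about.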

Logcheck

A much more complex tool... this one goes through the logs you point it at looking for anomalies... (by default almost everything is an anomaly for logcheck) and emails you the result every hour...

Configuration is done via /etc/logcheck/logcheck.conf; nothing new in that file.

But the bulk of the work is actually in the regexes that filter the logs... here are my extra files:

amavis-extra

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) Passed CLEAN \{RelayedInbound\}, \[[[:xdigit:].:]{3,39}\]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) Passed SPAMMY \{RelayedTaggedInbound\}, \[[[:xdigit:].:]{3,39}\]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ amavis\[[[:digit:]]+\]: \([-[:digit:]]+\) Blocked SPAM \{NoBounceInbound,Quarantined\}, \[[[:xdigit:].:]{3,39}\]

dovcot-extra

# dovecot: imap({email}): Disconnected: Disconnected in IDLE in={bytes} out={bytes}
# dovecot: imap({email}): Disconnected: Logged out in={bytes} out={bytes}
# dovecot: imap({email}): Disconnected for inactivity in={bytes} out={bytes}
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\): Disconnected(: Disconnected in IDLE|: Logged out| for inactivity) in=[[:digit:]]+ out=[[:digit:]]+$

# dovecot: imap({email}): Connection closed in={bytes} out={bytes}
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\): Connection closed in=[[:digit:]]+ out=[[:digit:]]+$

# dovecot: imap-login: Disconnected (no auth attempts in {s} secs): user=<>, rip={ip}, lip={ip}, secured, session=<{session_id}>
# dovecot: imap-login: Disconnected (no auth attempts in {s} secs): user=<>, rip={ip}, lip={ip}, TLS, session=<{session_id}>
# dovecot: imap-login: Disconnected (no auth attempts in {s} secs): user=<>, rip={ip}, lip={ip}, TLS: Disconnected, session=<{session_id}>
# dovecot: imap-login: Disconnected (no auth attempts in {s} secs): user=<>, rip={ip}, lip={ip}, TLS: SSL_{method}() failed: {error}, session=<{session_id}>
# dovecot: imap-login: Disconnected (no auth attempts in {s} secs): user=<>, rip={ip}, lip={ip}, TLS: SSL_{method}() syscall failed: {error}, session=<{session_id}>
# dovecot: imap-login: Disconnected (no auth attempts in {s} secs): user=<>, rip={ip}, lip={ip}, TLS handshaking: Disconnected, session=<{session_id}>
# dovecot: imap-login: Disconnected (no auth attempts in {s} secs): user=<>, rip={ip}, lip={ip}, TLS handshaking: SSL_{method}() failed: {error}, session=<{session_id}>
# dovecot: imap-login: Disconnected (no auth attempts in {s} secs): user=<>, rip={ip}, lip={ip}, TLS handshaking: SSL_{method}() syscall failed: {error}, session=<{session_id}>
# dovecot: imap-login: Disconnected: Inactivity (no auth attempts in {s} secs): user=<>, rip={ip}, lip={ip}, TLS handshaking, session=<{session_id}>
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Disconnected(: Inactivity)? \(no auth attempts in [[:digit:]]+ secs\): user=<>, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, (TLS( handshaking)?(: Disconnected|: (SSL_[[:alnum:]]+)\(\) (syscall )?failed: [:._[:space:][:alnum:]-]+)?|secured), session=<[-\/+_[:alnum:]]+>$

# dovecot: imap-login: Login: user=<{email}>, method={method}, rip={ip}, lip={ip}, mpid={mpid}, {SAME_MATCHES_AS_ABOVE}, session=<{session_id}>
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Login: user=<[-_.@[:alnum:]]+>, method=[[:alnum:]-]+, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, mpid=[[:digit:]]+, (TLS( handshaking)?(: Disconnected|: (SSL_[[:alnum:]]+)\(\) (syscall )?failed: [:._[:space:][:alnum:]-]+)?|secured), session=<[-\/+_[:alnum:]]+>$

# dovecot: lmtp({id}): Disconnect from local: Client quit (in reset)
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: lmtp\([[:alnum:]]+\): (Connect|Disconnect) from ([._[:alnum:]-]+)(: Client quit \(in reset\))?$

# dovecot: lmtp({id}, {email}): {session_id}: msgid=<{message_id}>: saved mail to {mailbox}
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (deliver|lda|lmtp)\(([[:alnum:]]+, )?[-_.@[:alnum:]]+\): [-\/+_[:alnum:]]+: msgid=<?[^\(]*>?( \((added by [^[:space:]]+|sfid-[_[:xdigit:]]+)\)?)?[[:space:]]*: (saved mail to [-_.[:alnum:]]+|(forwarded|discarded duplicate forward) to <[^[:space:]]+>)$

# dovecot: mysql({hostname}): Connected to database {database}
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: auth-worker\([[:digit:]]+\): (pg|my)sql\([._[:alnum:]-]+\): Connected to database [._[:alnum:]-]+$

# dovecot: imap({email}): copy from INBOX: box=Trash, uid={id}, msgid=<{messageid}>, size={size}
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\): copy from [[:alnum:]]+: box=[[:alnum:]\/]+, uid=([[:alnum:]]+), msgid=

# dovecot: imap({email}): expunge: box=INBOX, uid={id}, msgid=<{messageid}>, size={size}
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\): (expunge|save|delete): box=([[:alnum:]\/]+), uid=([[:alnum:]]+), 

freshclam-extra

# freshclam[21783]: WARNING: Your ClamAV installation is OUTDATED!
# freshclam[21783]: WARNING: Local version: 0.98.7 Recommended version: 0.99
# freshclam[21783]: DON'T PANIC! Read http://www.clamav.net/support/faq
# freshclam[21783]: bytecode.cld is up to date (version: 271, sigs: 47, f-level: 63, builder: anvilleg)

^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: (WARNING:|DON'T PANIC!)

# freshclam[21783]: bytecode.cld is up to date (version: 271, sigs: 47, f-level: 63, builder: anvilleg)
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ freshclam\[[0-9]+\]: (daily|main|bytecode)\.c(l|v)d (is up to date|updated) \(version: [0-9]+, sigs: [0-9]+, f-level: [0-9]+, builder: \w+\)$

postfix-extra

# postfix/lmtp[{id}]: {message_queue_id}: to=<{email}>, relay={hostname}[private/dovecot-lmtp], delay={delay}, delays={delays}, dsn={notifications}, status=sent (250 {notifications} <{email}> {session_id} Saved)
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/[ls]mtp\[[[:digit:]]+\]: [[:upper:][:digit:]]+: to=<[^[:space:]]+>,( orig_to=<[^[:space:]]+>,)? relay=[^[:space:]]+,( conn_use=[[:digit:]]+,)? delay=[.[:digit:]]+,( delays=[.[:digit:]/]+, dsn=[[:digit:].]+,)? status=sent \(250 [[:digit:].]+ <[^[:space:]]+> [-\/+_[:alnum:]]+ Saved\)$

# postfix/smtpd[{id}]: warning: hostname {hostname} does not resolve to address {ip}: No address associated with hostname
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/[ls]mtpd\[[[:digit:]]+\]: warning: hostname [^[:space:]]+ does not resolve to address ([[:xdigit:].:]{3,39})+(: No address associated with hostname)?$

# postfix/dnsblog[{pid}]: addr {ip} listed by domain {server} as {ip}
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/dnsblog\[[[:digit:]]+\]: addr [.:[:xdigit:]]+ listed by domain (bl.spamcop.net|b.barracudacentral.org|zen.spamhaus.org|bl.mailspike.net) as [.:[:xdigit:]]+$

# postfix/cleanup[{pid}]: {alphanum}: reject: body {blabla}; from=<{email}> to=<{email}> proto=ESMTP helo=<{host}>: 5.7.1 Error number 500021.
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/cleanup\[[[:digit:]]+\]: [[:alnum:]]+: reject: body
# [._[:alnum:]-]+; from=<[-_.@[:alnum:]]+> to=<[-_.@[:alnum:]]+> proto=ESMTP helo=<[^[:space:]]+>: 5.7.1 Error number 500021.$

# postfix/postscreen[{pid}]: PASS NEW [{ip}]:{port}
# postfix/postscreen[{pid}]: CONNECT from [{ip}]:{port} to [{ip}]:{port}
# postfix/postscreen[{pid}]: PASS OLD [{ip}]:{port}
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/postscreen\[[[:digit:]]+\]:

# postfix/anvil[18236]: statistics: max connection rate 1/60s for (smtpd:{ip}) at {date}
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/anvil\[[[:digit:]]+\]: statistics: max connection rate [[:digit:]]+/60s for \(smtpd:[[:xdigit:].:]{3,39}\)
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/anvil\[[[:digit:]]+\]: statistics: max connection count [[:digit:]]+ for \(smtpd:[[:xdigit:].:]{3,39}\)

# postfix/tlsproxy[4633]: CONNECT from [{ip}]
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/tlsproxy\[[[:digit:]]+\]: (Anonymous TLS connection|CONNECT|DISCONNECT)

# postfix/smtpd[21934]: Anonymous TLS connection established from o3.em2.couchsurfing.com[167.89.78.96]: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ postfix/smtpd\[[[:digit:]]+\]: Anonymous TLS connection established from
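Added here as an example (not code from the post, nor from logcheck itself): a dry run of an ignore ruleset against sample log lines, applied the way logcheck essentially applies its rules, "grep -E -v -f rules logfile". Three rules are taken from the -extra files above (dovecot imap disconnect, dovecot login, freshclam); the syslog lines, hostnames and addresses are constructed. Two of the lines are meant to survive the filter: an sshd failure no rule covers, and a dovecot line with trailing text that the $-anchored rule correctly refuses to silence. GNU grep is assumed, for \w.

```shell
#!/bin/sh
# Added example, not code from the post or from logcheck: dry-run an ignore
# ruleset against constructed log lines. Assumes GNU grep (\w).

RULES=$(mktemp); LOG=$(mktemp)
trap 'rm -f "$RULES" "$LOG"' EXIT

# Three rules copied from the -extra files above.
cat > "$RULES" <<'EOF'
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: imap\([-_.@[:alnum:]]+\): Disconnected(: Disconnected in IDLE|: Logged out| for inactivity) in=[[:digit:]]+ out=[[:digit:]]+$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ dovecot: (pop3|imap)-login: Login: user=<[-_.@[:alnum:]]+>, method=[[:alnum:]-]+, rip=[.:[:xdigit:]]+, lip=[.:[:xdigit:]]+, mpid=[[:digit:]]+, (TLS( handshaking)?(: Disconnected|: (SSL_[[:alnum:]]+)\(\) (syscall )?failed: [:._[:space:][:alnum:]-]+)?|secured), session=<[-\/+_[:alnum:]]+>$
^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+ freshclam\[[[:digit:]]+\]: (WARNING:|DON'T PANIC!)
EOF

# Constructed syslog lines: three the rules should silence, two that logcheck
# should still report (an sshd failure no rule covers, and a dovecot line with
# trailing text that the $-anchored rule correctly refuses).
cat > "$LOG" <<'EOF'
Mar  3 10:15:01 mail dovecot: imap(user@example.org): Disconnected: Logged out in=312 out=4590
Mar  3 10:16:30 mail dovecot: imap-login: Login: user=<user@example.org>, method=PLAIN, rip=192.0.2.10, lip=198.51.100.4, mpid=4412, TLS, session=<abc123/+Def>
Mar  3 10:20:11 mail freshclam[21783]: WARNING: Your ClamAV installation is OUTDATED!
Mar  3 10:22:47 mail sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 52213 ssh2
Mar  3 10:30:00 mail dovecot: imap(user@example.org): Disconnected: Logged out in=312 out=4590 (slow)
EOF

# report_unfiltered RULES LOG -> prints the lines that survive the ignore
# rules, i.e. what would end up in the hourly mail.
report_unfiltered() {
    grep -E -v -f "$1" "$2" || true   # grep exits 1 when nothing survives
}

# count_unfiltered RULES LOG -> number of surviving lines
count_unfiltered() {
    report_unfiltered "$1" "$2" | grep -c '' || true
}

# silenced RULES LINE -> exit 0 if some rule matches LINE; handy while
# writing a new rule, to confirm it matches the line it is meant for.
silenced() {
    printf '%s\n' "$2" | grep -E -q -f "$1"
}

echo "lines logcheck would report:"
report_unfiltered "$RULES" "$LOG"
```

The point of the fifth sample line is the anchoring: a rule that ends in $ (as most of the ones above do) silences exactly the message shape it was written for and nothing more, whereas an unanchored prefix like the postscreen rule swallows every line from that daemon, so it is worth testing a new rule against a real line from the log before dropping it into /etc/logcheck.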